CVE-2016-6233

NameCVE-2016-6233
DescriptionThe (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1.12.19 might allow remote attackers to conduct SQL injection attacks via vectors related to use of the character pattern [\w]* in a regular expression.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
zendframework (PTS)jessie, jessie (lts)1.12.9+dfsg-2+deb8u7fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
zendframeworksourcewheezy(not affected)
zendframeworksourcejessie(not affected)
zendframeworksource(unstable)1.12.19+dfsg-1

Notes

[jessie] - zendframework <not-affected> (introduced after 1.12.9)
[wheezy] - zendframework <not-affected> (introduced after 1.12.9)
http://framework.zend.com/security/advisory/ZF2016-02
https://github.com/zendframework/zf1/commit/bf3f40605be3d8f136a07ae991079a7dcb34d967

Search for package or bug name: Reporting problems